What's Changed
🔒 Security Fix
Mitigates CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can exhaust client memory by sending APPENDUID or COPYUID responses with very large uid-set ranges. Net::IMAP::UIDPlusData expands these ranges into arrays of integers.
Fix with minor API changes
For v0.3.8, this option is not available. Upgrade to v0.4.19, v0.5.6, or higher to replace UIDPlusData with AppendUIDData and CopyUIDData. These classes store their UIDs as Net::IMAP::SequenceSet objects (not expanded into arrays of integers).
Mitigate with backward compatible API
This release mitigates the attack by crashing if a server tries to send a uid-set that represents more than 10,000 numbers. This should be larger than almost all legitimate COPYUID or APPENDUID responses and would limit the array to only 80KB (on a 64 bit system).
For v0.3.8, this option is not configurable. Upgrade to v0.4.19, v0.5.6, or higher to configure this limit.
Please Note: unhandled responses
If the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses. However, net-imap has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses. This is not significantly different from connecting to a trusted server with a long-lived connection. To limit the maximum number of retained responses, a simple handler might look something like the following:
limit = 1000
imap.add_response_handler do |resp|
name = resp.name
code = resp.data.code&.name if resp.data.in?(Net::IMAP::ResponseText)
# before 0.4.0:
imap.responses[name].slice!(0...-limit)
imap.responses[code].slice!(0...-limit)
# since 0.4.0:
imap.responses(name) { _1.slice!(0...-limit) }
imap.responses(code) { _1.slice!(0...-limit) }
endMiscellaneous
Full Changelog: v0.3.7...v0.3.8